Nmap is more powerful than you may realize. With a few scripts, we can extend its functionality well beyond a simple port scanner and learn details about target servers that system administrators would rather you did not know.

Perhaps the most popular and well-known reconnaissance tool in the hacking world, Nmap has been covered repeatedly on Null Byte. For example, we have shown how to identify CVEs, automate brute-force attacks, and perform advanced reconnaissance, to name just a few of our Nmap tutorials.

This article assumes readers are familiar with Nmap fundamentals. Most of the commands will target ports 80 and 443 (-p80,443), as these are the common web server ports. I will also use Nmap's NSE features through the --script argument.

Best known for accurately identifying open ports, Nmap also has NSE capabilities that make it an extremely powerful multipurpose tool, scaling well beyond a normal port scanner. In this multi-part Nmap series, I'll show you some of the advanced features for aggressively detecting web server error pages, fingerprinting web applications, enumerating subdomains, and extracting metadata from photos. Intrusive Nmap scripts can consume significant resources (CPU and bandwidth) on the destination web server and may cause it to crash, break, or inadvertently suffer a denial of service. Depending on the scope of your penetration testing engagement, this may not be permitted by a particular employer. Pentesters should use the following scripts with caution.

Update Nmap on your Kali system

Before looking at Nmap scripts, we first make sure we have the latest available version of Nmap installed on our Kali Linux system. At the time of this writing, Kali offers v7.70.

1. Web Application Firewall Detection

A server well protected by a WAF could mean that every potential web-based vulnerability will be slower to exploit. Conversely, a server without WAF protection could be catastrophic for system administrators trying to defend against hackers. As pentesters, our ability to detect web application firewalls on target web servers is therefore critical.

The http-waf-detect script is designed to help us learn whether a web application firewall is present. It probes the destination web server with multiple requests. First, it sends a normal web request and records the server's response. Then it sends another request carrying a payload (a deliberately malformed URL) and compares the two responses. This method of detecting WAFs is far from perfect, and results vary with the type of web server and WAF product.

Here, I use the http-waf-detect.aggro argument, which instructs Nmap to try all of its built-in attack vectors in order to trigger the server's WAF. Also enabled is the http-waf-detect.detectBodyChanges argument, which looks for changes in the body of the HTTP responses and further increases the likelihood of detection.

As we can see in the above output, Nmap found some kind of web application firewall on the target web server. There are many commercial WAF products available to administrators. To find out which WAF is in production, we need to use a different Nmap script.
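To make the baseline-versus-payload comparison concrete, here is an added example (not Nmap's http-waf-detect code) that reduces the heuristic to pure functions over constructed HTTP responses. Case B shows why the method is imperfect: a page that embeds a per-request id changes its body on every request, so body-change detection reports a WAF that is not there.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def parse_response(raw: bytes) -> Response:
    """Parse a minimal HTTP/1.x response as captured from the wire."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(int(status_line.split()[1]), headers, body.decode("latin-1"))

def waf_indicators(baseline, probe, detect_body_changes=False):
    """Differences between the normal-request and payload-request responses
    that the heuristic reads as WAF evidence. detect_body_changes plays the
    role of the detectBodyChanges option described above (simplified)."""
    reasons = []
    if baseline.status != probe.status:
        reasons.append(f"status {baseline.status} -> {probe.status}")
    if detect_body_changes and baseline.body != probe.body:
        reasons.append("body changed")
    return reasons

# Constructed responses. Case A: a WAF answers the probe with a 403.
BASELINE_A = parse_response(b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<h1>Home</h1>")
PROBE_A = parse_response(b"HTTP/1.1 403 Forbidden\r\nServer: nginx\r\n\r\nRequest blocked")
# Case B: no WAF, but the page embeds a per-request id, so bodies never match;
# with body-change detection on, this looks like a WAF (a false positive).
BASELINE_B = parse_response(b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<p>req 1001</p>")
PROBE_B = parse_response(b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<p>req 1002</p>")

def summary():
    """Run both cases with and without body-change detection."""
    return {
        "waf_by_status": waf_indicators(BASELINE_A, PROBE_A),
        "dynamic_page_default": waf_indicators(BASELINE_B, PROBE_B),
        "dynamic_page_body_mode": waf_indicators(BASELINE_B, PROBE_B, True),
    }
```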

2. Web Application Firewall Fingerprinting

Learning which WAF is in use can be important because each WAF has its own predefined rate limiting and detection methods. Identifying the WAF type can help the pentester avoid detection (or stay under the radar) if we can learn the WAF's limitations and detection triggers in advance. The http-waf-fingerprint Nmap script is designed to help us learn exactly which web application firewall is in use on a target web server. It will also try to identify its type and exact version number.

In its simplest form, we do not need to pass any script arguments to use this Nmap script.

As you can see above, this particular website uses the popular Cloudflare service as a front end to protect itself from attackers.

We can further enhance Nmap's ability to detect WAF types and versions with the http-waf-fingerprint.intensive argument. This increases the scan time and also increases the amount of noise (web traffic) the script generates.

3. HTTP Status Codes and Error Pages

HTTP status codes are divided into multiple categories, or "classes." The first digit defines the class, and the following digits identify specific responses within it. For example, the 4xx class covers errors for HTTP requests that the web server cannot satisfy, such as trying to display a web page that does not exist. This is the "404 Not Found" status, probably one of the most recognizable status codes on the Internet.

Status codes are particularly useful to pentesters because they help us identify broken and misconfigured parts of a server that may be leaking sensitive information, or they may point to an exploitable way to control aspects of the server.

Following Wikipedia, the five HTTP status code classes are listed below. Web application penetration testers should become familiar with all status codes and their definitions.

1xx (Informational): The request has been received, and the process is continuing

2xx (Successful): The request was successfully received, understood, and accepted

3xx (Redirection): Further action must be taken to complete the request

4xx (Client Error): The request contains malformed syntax or cannot be fulfilled

5xx (Server Error): The server failed to fulfill an apparently valid request

The http-errors Nmap script can be used to identify interesting status codes for further investigation.

nmap -p80,443 --script http-errors targetWebsite.com

Simply calling the http-errors script is enough to get started. Ports 80 and 443 are common web server ports, but they can be changed to suit your needs.

In the above output, Nmap has detected a 403 status, indicating that file permissions on the server are misconfigured and visitors are denied access to the requested resource. Below is a refined command that uses several script arguments.

This particular Nmap script uses the httpspider library, so we can use arguments such as httpspider.url, httpspider.maxpagecount, and httpspider.maxdepth to restrict our scan to specific URLs and to define how many pages Nmap should crawl before stopping.
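The following added example (not Nmap's http-errors or httpspider code) simulates what the crawl above does: a breadth-first walk over a constructed in-memory site map, limited by maxdepth and maxpagecount the way the httpspider options limit the real crawl, that reports every 4xx/5xx page reached, and a helper that names the status class from the list above. SITE and the limits are assumptions for the demonstration.

```python
from collections import deque

# Constructed site map: URL -> (status code, links found on that page).
SITE = {
    "/": (200, ["/about", "/admin", "/blog"]),
    "/about": (200, ["/team"]),
    "/admin": (403, []),
    "/blog": (200, ["/blog/1", "/blog/2"]),
    "/blog/1": (200, ["/old-post"]),
    "/blog/2": (500, []),
    "/old-post": (404, []),
    "/team": (200, ["/"]),
}

CLASSES = {1: "Informational", 2: "Successful", 3: "Redirection",
           4: "Client Error", 5: "Server Error"}

def status_class(status: int) -> str:
    """Map a status code to its class, e.g. 404 -> '4xx (Client Error)'."""
    return f"{status // 100}xx ({CLASSES.get(status // 100, 'Unknown')})"

def crawl_errors(site, start="/", maxdepth=3, maxpagecount=20):
    """Breadth-first crawl from `start`, following links no deeper than maxdepth
    and fetching at most maxpagecount pages, as the httpspider options do.
    Returns [(url, status)] for every page that answered with a 4xx or 5xx."""
    seen, queue = {start}, deque([(start, 0)])
    errors, fetched = [], 0
    while queue and fetched < maxpagecount:
        url, depth = queue.popleft()
        status, links = site.get(url, (404, []))  # unknown URL: treat as not found
        fetched += 1
        if status >= 400:
            errors.append((url, status))
        if depth < maxdepth:
            for link in links:
                if link not in seen:
                    seen.add(link)
                    queue.append((link, depth + 1))
    return errors
```

Raising maxdepth or maxpagecount reaches the deeper /old-post 404, while a tight page budget stops the crawl after the first few pages, which is the trade-off the httpspider arguments expose.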

4. Finding Subdomains and New Servers

Subdomains are often used to host additional sites for a particular subset of users. For example, Null Byte (null-byte.wonderhowto.com) is one of many subdomains in the WonderHowTo network of websites. Other popular subdomains include m.facebook.com, mobile.twitter.com, and developer.github.com.

These subdomains are useful to hackers because the subdomain and the main domain can actually be hosted on completely different virtual private servers in different parts of the world, and they may not have the same level of security.

The dns-brute script built into Nmap is designed to enumerate subdomains and their corresponding server IP addresses.

This particular website has many subdomains configured, and not all of them share the same IP address. At this point, a penetration tester can extend reconnaissance to the newly discovered servers under this website's control.

Below is a dns-brute command that uses several script arguments.

By default, dns-brute scans with five concurrent threads. We can increase or decrease this value with dns-brute.threads. Depending on the type of web server, too many threads can cause a server crash or denial of service, slowing down or stopping the site for other users. Adjust this value with caution.

dns-brute tries about 125 popular subdomains. We can supply a custom subdomain list with the dns-brute.hostlist argument. As we can see in the previous output, a comprehensive word list let us identify more subdomains and IP addresses controlled by this site.
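Seen from the defender's side, a dns-brute run has a distinctive footprint in DNS query logs: one client asks for many distinct names under a single zone within seconds, and most of them come back NXDOMAIN because only a few entries in the word list exist. This added example (not Nmap code) flags that pattern in constructed log lines written as "timestamp client qname rcode"; real BIND, Unbound or CoreDNS logs use their own formats and would need their own parser.

```python
from collections import defaultdict

# Constructed query-log lines: "<unix_ts> <client_ip> <qname> <rcode>".
LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000001 10.0.0.5 mail.example.com NOERROR
1700000001 10.0.0.5 ftp.example.com NXDOMAIN
1700000001 10.0.0.5 dev.example.com NXDOMAIN
1700000002 10.0.0.5 staging.example.com NXDOMAIN
1700000002 10.0.0.5 vpn.example.com NXDOMAIN
1700000002 10.0.0.5 test.example.com NXDOMAIN
1700000003 10.0.0.5 admin.example.com NXDOMAIN
1700000003 10.0.0.5 api.example.com NOERROR
1700000050 192.0.2.9 www.example.com NOERROR
1700000051 192.0.2.9 www.example.com NOERROR
"""

def parse_line(line: str):
    """Split one log line; the parent zone is taken as the last two labels,
    which is a simplification (co.uk-style zones would need a suffix list)."""
    ts, client, qname, rcode = line.split()
    zone = ".".join(qname.rstrip(".").split(".")[-2:])
    return int(ts), client, zone, qname, rcode

def find_bruteforce(log: str, window: int = 60, min_names: int = 8,
                    min_nxdomain_ratio: float = 0.5):
    """Return [(client, zone, distinct_names, nxdomain_count)] for every
    (client, zone) pair that asked for min_names or more distinct names
    within `window` seconds with at least min_nxdomain_ratio NXDOMAIN answers."""
    events = defaultdict(list)
    for line in log.strip().splitlines():
        ts, client, zone, qname, rcode = parse_line(line)
        events[(client, zone)].append((ts, qname, rcode))
    hits = []
    for (client, zone), evs in events.items():
        evs.sort()
        for start, _, _ in evs:  # sliding window anchored at each event
            win = [e for e in evs if start <= e[0] < start + window]
            names = {q for _, q, _ in win}
            nx = sum(1 for _, _, r in win if r == "NXDOMAIN")
            if len(names) >= min_names and nx / len(win) >= min_nxdomain_ratio:
                hits.append((client, zone, len(names), nx))
                break
    return hits
```

The thresholds are assumptions: 125 names over five threads finishes in seconds against a responsive resolver, so a 60-second window with a handful of distinct names is enough to separate it from ordinary browsing.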

5. Extracting EXIF Data from Photos

Exchangeable image file format, better known as EXIF, is metadata stored in JPEG, PNG, PDF, and many other file types. This embedded data can sometimes contain interesting information, including timestamps, device information, and GPS coordinates. Most websites still do not properly strip EXIF data from images, exposing themselves or their users to risk.

As penetration testers, knowing what type of device a target uses helps us decide what kinds of payloads to generate. A classic example of EXIF data being used to catch a black hat is the arrest of Higinio Ochoa: FBI agents determined his girlfriend's geographic location from GPS data found in a photo he had uploaded to the Internet.

Nmap's http-exif-spider script can be used to extract interesting EXIF data from photos. Such a script is not well suited to mainstream sites like Instagram, Twitter, and Facebook, because large sites scrub EXIF data when users upload new photos. However, personal blogs, small businesses, and enterprises may not take strong security precautions or monitor what employees post online. It is not unusual to find GPS data in such photos.
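To show what http-exif-spider is looking for, and what the scrubbing step large sites perform actually does, here is an added example (not Nmap code) that walks the segments of a JPEG, reports whether an Exif APP1 block is present and whether its IFD0 points at a GPS sub-IFD, and returns a copy with the Exif segment removed while leaving the image data untouched. The sample JPEG bytes are constructed and only large enough to exercise the parser.

```python
import struct
SOS, APP1, GPS_IFD_POINTER = 0xFFDA, 0xFFE1, 0x8825  # GPSInfo tag lives in IFD0
EXIF_ID = b"Exif\x00\x00"

def segments(data: bytes):
    """Yield (marker, raw_segment) after SOI; scan data after SOS comes last as (None, bytes)."""
    assert data[:2] == b"\xff\xd8", "not a JPEG (missing SOI)"
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack_from(">HH", data, pos)
        end = pos + 2 + length
        yield marker, data[pos:end]
        pos = end
        if marker == SOS:  # only entropy-coded data and EOI remain
            yield None, data[pos:]
            return

def is_exif(marker, seg):
    return marker == APP1 and seg[4:10] == EXIF_ID
def exif_payload(data: bytes):
    """Return the TIFF structure inside the Exif APP1 segment, or None."""
    return next((seg[10:] for m, seg in segments(data) if is_exif(m, seg)), None)

def has_gps_ifd(tiff: bytes) -> bool:
    """Walk IFD0 and report whether it carries a GPSInfo pointer tag."""
    order = ">" if tiff[:2] == b"MM" else "<"
    ifd0 = struct.unpack_from(order + "I", tiff, 4)[0]
    count = struct.unpack_from(order + "H", tiff, ifd0)[0]
    tags = (struct.unpack_from(order + "H", tiff, ifd0 + 2 + 12 * i)[0] for i in range(count))
    return GPS_IFD_POINTER in tags

def strip_exif(data: bytes) -> bytes:
    """Copy of the JPEG with every Exif APP1 segment dropped; image data untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in segments(data):
        if not is_exif(marker, seg):
            out += seg
    return bytes(out)

# Constructed sample JPEG: APP0 (JFIF), an Exif APP1 whose IFD0 holds a Model tag
# and a GPSInfo pointer to an empty GPS IFD at offset 0x26, then SOS, scan data, EOI.
TIFF = (b"MM\x00\x2a\x00\x00\x00\x08\x00\x02"              # header, 2 entries
        b"\x01\x10\x00\x02\x00\x00\x00\x04abc\x00"           # Model = "abc"
        b"\x88\x25\x00\x04\x00\x00\x00\x01\x00\x00\x00\x26"  # GPSInfo -> 0x26
        b"\x00\x00\x00\x00" b"\x00\x00\x00\x00\x00\x00")     # next IFD; empty GPS IFD
EXIF_SEG = b"\xff\xe1" + struct.pack(">H", 8 + len(TIFF)) + EXIF_ID + TIFF
APP0_SEG = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SOS_SEG = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
SAMPLE_JPEG = b"\xff\xd8" + APP0_SEG + EXIF_SEG + SOS_SEG + b"\x12\x34\xff\xd9"
```

Running strip_exif over uploads before they are published is the mitigation the text says most small sites skip; the same segment walk is what an EXIF spider uses to find the data in the first place.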